Jan Cholasta wrote:

you can find a draft of the design document for this feature at

Comments are welcome.


Shared certificate store.

DM should not be required. It may be required initially, but we have a long-term goal of removing the need to be DM to perform operations. Note that this would only probably be practical in a single-389-ds install.

Does readable by everyone include anonymous? I think it does but probably best to spell it out.

Automatic renewal of IPA CA certificate.

certmonger currently has no notification capabilities. How will anyone know that the renewal has failed unless they happen to run getcert list? Unfortunately I don't really have an answer. An MTA is looking more and more necessary.

What certmonger CA backend will be used for renewing an external CA? Perhaps that can be used as some sort of notification via syslog?

Are you sure you can change the signing chain, essentially on-the-fly? I imagine that the math will work ok but I don't know if changing the issuer is valid.

I think the trust flag should include code signing by default since we sign an object cert for Firefox. It would also probably be forward-looking to go ahead and include clients as well.

Distributing CA certificates to clients

I think a certmonger CA-refresher backend should be done first. I echo Martin's concerns about hourly polling and the load that entails. It also doesn't cover all cases, like if you set up a web server using an IPA cert there is no way to pick up the new CA.

Also, we issue a 20-year CA which means in the case where someone lets it just run through there would be 175k polls to do nothing, then one to get the new CA. That's a lot of cache misses.


For the external case are you storing the original CSR anywhere? Do you know how to generate a new CSR re-using the same key (I don't)?


Freeipa-devel mailing list

Reply via email to